OFFICE OF INSPECTOR GENERAL
MEMORANDUM

DATE:     May 17, 1995
TO:       Chairman
FROM:     Acting Inspector General
SUBJECT:  Internet Penetration Analysis

As part of our ongoing effort to ensure protection of the Commission's information resources, this office has recently completed an Internet Penetration Analysis. The purpose of this analysis was to evaluate the controls in place to prevent an unauthorized and potentially hostile penetration of the internal FCC network via the internet.

In general, our review indicates that the Associate Managing Director - Information Management (AMD-IM) has established effective controls over access to the internal FCC network from external sources. These controls include use of a firewall to manage data traffic, control over the use of potentially risky software utility products, and patches to commonly exploited software weaknesses. However, the review revealed four areas where improvements in control are recommended. The Office of Inspector General (OIG) is currently working with AMD-IM to address these areas. While the Commission cannot be assured that a skilled and deliberate "hacker" cannot penetrate internal FCC computers via the internet, we believe that AMD-IM has taken necessary and prudent measures to minimize this risk.

The Internet Penetration Report (OIG Report Number 95-3) is being maintained in a secure file area within the OIG. The report will not be disseminated due to the risk that sensitive information contained in the report could be used in a manner inconsistent with the normal operations of the Commission. If you would like to discuss this review, or require a copy of the report, please contact me at 418-0470.

H. Walker Feaster III

cc: Chief of Staff
    Managing Director

REVIEW OBJECTIVE

The objective of this analysis was to attempt to penetrate the internal Federal Communications Commission (FCC) network from an external source through the internet, identify any potential weaknesses in the system security infrastructure, and document the controls in place to prevent a successful penetration.

REVIEW SCOPE

The scope of this analysis was limited to that of a technically skilled individual with internet access but no internal knowledge of the Commission or its computing environment. In addition, the scope was restricted to activities that were within the limitations of acceptable internet use policies (as prescribed by internet service providers) and all applicable federal, state, and local laws. It should be noted that a malicious attacker would not necessarily be concerned about such restrictions. Furthermore, the scope did not address exposures that could occur through acts of fraud or collusion.

The Office of Inspector General (OIG) selected the Certified Public Accounting firm of Coopers & Lybrand L.L.P. (C&L) through a competitive procurement to attempt to penetrate the FCC using the same readily available techniques an unauthorized party or "hacker" would employ. Officials in the office of the Associate Managing Director - Information Management (AMD-IM) were notified in advance and entered into a cooperative arrangement with the OIG to facilitate this project. As part of this agreement, AMD-IM personnel were involved in the planning of the penetration analysis and visited C&L's computer laboratory located in Floral Park, New York during testing. In return, AMD-IM officials agreed to ensure the integrity of the project by making only routine adjustments to the configuration of the FCC's internal operating system pending conclusion of the audit field work.

To conduct the review, computer professionals from C&L developed a custom methodology to guide the penetration efforts. The methodology employed was as follows:

- gathered information about FCC resources recognized on the internet (e.g., public host, firewall, etc.),
- manually probed available hosts to determine the existence of published security weaknesses and to identify specific accounts to target for "brute force" password attacks, and
- used readily available automated software "tools" to attack these resources.

Among the automated tools used in the review was a recently released product called Security Administrator Tool for Analyzing Networks (SATAN). SATAN was developed as a security tool which systems administrators can use to identify particular vulnerabilities in their networks. However, once released into the public domain on April 7, 1995, SATAN became another tool which could be employed by hackers to attack systems.

BACKGROUND

In February 1994 the FCC established connectivity to the internet. The FCC internet connection supports three functions: (1) the ability to send and receive mail, (2) access to databases and files on other internet systems, and (3) making FCC information and data available to other internet users. Since its implementation, internal and external use of the FCC connection has been heavy. The Commission has made hundreds of documents available for public review, provided extensive round-by-round results of spectrum auction activities, and supported e-mail traffic of over 5,000 messages per day.

In response to the success of internet access, and as a result of increased customer demand, the FCC is currently pursuing various initiatives for expanding the Commission's use of the internet. Specific initiative items include posting engineering databases, enabling Mosaic access from FCC workstations, and allowing access to FCC bulletin board systems through the internet. The total cost of these initiatives in AMD-IM's FY 1995 IRM budget is $1,325,000.

Although the opportunities afforded by the internet are numerous, the risks associated with connectivity can be significant. Reports of attacks on internet hosts are increasing, and the level of sophistication associated with these attacks is also on the rise. Many individuals who have either been apprehended by law enforcement agencies, or have boasted of their exploits, have listed government agencies and Fortune 500 companies as prime attack goals. The nature of the work the FCC conducts, and the leadership role being taken by the Commission in the development of the information superhighway, make the FCC host a likely target for attack. For this reason, it is especially important for the Commission to secure its valuable and high-profile information.

REVIEW FINDINGS

Our initial attempts at penetration focused on the FCC's firewall. In the Commission's computing environment, a firewall is a computer used to manage traffic between the internet and the internal FCC network. A primary function of a firewall is to prevent unauthorized access to internal data. Based on the testing conducted, the audit team concluded that the FCC's firewall appeared to be properly configured (i.e., sensitive utilities were disabled, published weaknesses were patched, etc.).

Following unsuccessful efforts to compromise the FCC firewall, the focus of the attack shifted to the Commission's router and the public host that serves as the anonymous FTP, gopher, world wide web, and backup mail server. The intent of this approach was to obtain "root" access to the public host and launch a spoofing attack on the firewall (i.e., sending traffic that would appear to the firewall to originate from an internal host). Although this objective was not met, concerns related to the configuration of the public host were identified. The OIG is working with representatives from AMD-IM to address these concerns. For security reasons, the details of these issues are not described in this document.

Based upon the knowledge gained in this review, the OIG plans to continue to perform work in the computer security area. Projects are currently being formulated to ensure that the Commission has developed adequate levels of internal controls to address the risks that reside in complex automated networks such as that being used by the Commission.
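The spoofing step described under REVIEW FINDINGS (gain root on the public host, then present traffic to the firewall as though it came from an internal host) only works against a filter that decides trust from the source address alone. The following is an added illustration and not code from the report, the FCC or C&L; it models a simplified stateless packet filter with two policies, the naive one that trusts any internal source address and a hardened one that also checks which interface the packet arrived on. The address range, interface names, port numbers and sample packets are all constructed for the example.

```python
"""Added example: why a firewall must tie internal source addresses to the
internal interface. Not taken from the FCC OIG report; all values assumed."""
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
EXTERNAL_IF = "ext0"  # assumed: faces the router and the public host
INTERNAL_IF = "int0"  # assumed: faces the internal FCC network


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the firewall received the packet on
    src: str     # claimed source address (attacker-controlled when spoofing)
    dst: str
    dport: int


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL_NET


def naive_filter(pkt: Packet) -> str:
    """Trust by source address only: internal sources reach anything,
    outsiders may only deliver mail (tcp/25) inward."""
    if is_internal(pkt.src):
        return "accept"
    if pkt.dport == 25:
        return "accept"
    return "drop"


def hardened_filter(pkt: Packet) -> str:
    """Same policy plus an anti-spoofing check: a packet claiming an internal
    source must arrive on the internal interface, and a packet with an
    outside source must not arrive on the internal interface."""
    if is_internal(pkt.src) and pkt.iface != INTERNAL_IF:
        return "drop-spoofed"
    if not is_internal(pkt.src) and pkt.iface == INTERNAL_IF:
        return "drop-spoofed"
    return naive_filter(pkt)


def evaluate(filter_fn, packets):
    """Apply one policy to a list of packets and return the verdicts."""
    return [filter_fn(p) for p in packets]


# Constructed traffic: a legitimate internal telnet session, the same packet
# forged by a compromised public host on the external side (the spoof the
# review attempted), and ordinary inbound mail from the internet.
SAMPLE = [
    Packet(INTERNAL_IF, "10.1.2.3", "10.1.0.5", 23),
    Packet(EXTERNAL_IF, "10.1.2.3", "10.1.0.5", 23),
    Packet(EXTERNAL_IF, "192.0.2.10", "10.1.0.2", 25),
]

if __name__ == "__main__":
    for pkt, naive, hard in zip(SAMPLE,
                                evaluate(naive_filter, SAMPLE),
                                evaluate(hardened_filter, SAMPLE)):
        print(f"{pkt.iface:5} {pkt.src:>11} -> {pkt.dst}:{pkt.dport:<3} "
              f"naive={naive:<7} hardened={hard}")
```

The naive policy accepts the forged packet, which is exactly what the attack path in the findings relies on; the hardened policy rejects it because an internal source address cannot legitimately appear on the external interface. The same interface-versus-source check is what ingress filtering (RFC 2827 / BCP 38, published in 2000, after this memo) later formalized for routers.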